11.1 Overview of the Node Manager

The Node Manager enables you to start and stop the Administration Server and the managed servers.

Oracle recommends using host name verification for the communications between Node Manager and the Administration Server. This requires the use of certificates for the different addresses communicating with the Administration Server. In this chapter, the steps for configuring SOAHOST1 and SOAHOST2 certificates for host name verification are provided. Similar steps are required for WCPHOST1 and WCPHOST2. Although the appropriate host name changes in the steps are required for WCPHOST1 and WCPHOST2, the procedure and syntax are exactly the same.

11.2 Changing the Location of Node Manager Log

To change the location of the Node Manager log, edit the nodemanager.properties file located in the following directory:

MW_HOME/wlserver_10.3/common/nodemanager

Oracle recommends locating this file outside of the MW_HOME directory, and inside the admin directory for the deployment.

Add the following line to nodemanager.properties:

LogFile=ORACLE_BASE/admin/nodemanager.log

Restart Node Manager for the change to take effect.

11.3 Enabling Host Name Verification Certificates for Node Manager in SOAHOST1 and WCPHOST1

Host name verification secures the communication between Node Manager and the Administration Server by checking that the host name in each peer's certificate matches the address used to reach it. This verification requires the use of certificates for the different addresses communicating with the Administration Server.

This section describes the procedure for creating self-signed certificates on SOAHOST1.mycompany.com. Create these certificates using the network name/alias.

The directory where keystores and trust keystores are maintained must be on shared storage that is accessible from all nodes so that when the servers fail over (manually or with server migration), the appropriate certificates can be accessed from the failover node. Oracle recommends using central or shared stores for the certificates used for different purposes (for example, SSL setup for HTTP invocations). In this case, SOAHOST2, WCPHOST1 and WCPHOST2 use the cert directory created for the SOAHOST1 certificates.

For information on using trust CA certificates instead, see the "Configuring Identity and Trust" section in Oracle Fusion Middleware Securing Oracle WebLogic Server.

About Passwords

The passwords used in this guide are used only as examples. Use secure passwords in a production environment. For example, use passwords that include both uppercase and lowercase characters as well as numbers.

To create self-signed certificates:

Set up your environment by running the WL_HOME/server/bin/setWLSEnv.sh script:

In the Bourne shell, run the following command on SOAHOST1:

. setWLSEnv.sh

Verify that the CLASSPATH environment variable is set:

echo $CLASSPATH

Create a user-defined directory for the certificates.

mkdir ORACLE_BASE/admin/domain_name/certs

Change directory to the user-defined directory.

cd certs

Run the utils.CertGen tool from the user-defined directory to create the certificates for SOAHOST1, the SOAHOST1VHN VIP, the Admin VIP, WCPHOST1, and all hosts and VIPs in the environment.

11.3.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility

The procedures described in the previous sections created an identity keystore that resides on shared storage. In this section, new keys for SOAHOST1 and WCPHOST1 are added to the store. Import the certificate and private key for SOAHOST1, SOAHOST1VHN1, ADMINVHN and WCPHOST1 into the identity store. Make sure you use a different alias for each of the certificate/key pairs imported.

Follow these steps to create an identity keystore on SOAHOST1:

Create a new identity keystore called appIdentityKeyStore using the utils.ImportPrivateKey utility. Create this keystore under the same directory as the certificates (that is, ORACLE_BASE/admin/domain_name/cert).

Note:

The identity store is created (if none exists) when you import a certificate and the corresponding key into the identity store using the utils.ImportPrivateKey utility.

Import the certificate and private key for SOAHOST1, the SOAHOST1VHN VIP, the Admin VIP, and WCPHOST1 into the identity store. Make sure that you use a different alias for each of the certificate/key pairs imported.

11.3.3 Creating a Trust Keystore Using the Keytool Utility

To create the trust keystore on SOAHOST1.mycompany.com:

Copy the standard Java keystore to create the new trust keystore, since it already contains most of the root CA certificates needed. Oracle does not recommend modifying the standard Java trust keystore directly. Copy the standard Java keystore CA certificates, located under the WL_HOME/server/lib directory, to the same directory as the certificates. For example:

The CA certificate CertGenCA.der is used to sign all certificates generated by the utils.CertGen tool and is located in the WL_HOME/server/lib directory. This CA certificate must be imported into the appTrustKeyStore using the keytool utility on the host. The syntax is:
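The following script is an added example, not part of the Oracle guide: it automates the per-address steps of sections 11.3.1 to 11.3.3 (one utils.CertGen certificate per network name, one utils.ImportPrivateKey import per certificate under a distinct alias, and a trust store built from the JDK cacerts plus CertGenCA.der). It assumes setWLSEnv.sh has been sourced so that WL_HOME and CLASSPATH are set, that it runs in the shared certs directory, that the passphrase is supplied in a PASSPHRASE variable (a placeholder name), and the host-to-alias assignment at the bottom is constructed for illustration.

```shell
# Added example, not from the Oracle guide. Assumes setWLSEnv.sh has been
# sourced (WL_HOME, CLASSPATH set), the current directory is the shared
# certs directory, and the keystore passphrase is in PASSPHRASE (a
# placeholder name). Set DRY_RUN=1 to print each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One self-signed certificate per address; the CN is the network name/alias.
# utils.CertGen writes <name>.pem and <name>.der for both the cert and the key.
gen_cert() {
    run java utils.CertGen -certfile "${1}_cert" -keyfile "${1}_key" \
        -keyfilepass "$PASSPHRASE" -cn "$1"
}

# Import a cert/key pair into appIdentityKeyStore.jks under its own alias;
# the store is created on the first import. Aliases must be unique so that
# each Node Manager can select the certificate for its own host.
import_key() {
    run java utils.ImportPrivateKey -certfile "${1}_cert.pem" \
        -keyfile "${1}_key.pem" -keyfilepass "$PASSPHRASE" \
        -keystore appIdentityKeyStore.jks -storepass "$PASSPHRASE" \
        -alias "$2" -keypass "$PASSPHRASE"
}

provision_host() { gen_cert "$1" && import_key "$1" "$2"; }

# Trust store: copy the JDK cacerts shipped under WL_HOME/server/lib instead
# of editing it in place, replace its well-known default password, and add
# CertGenCA.der, the CA that signs everything utils.CertGen produces.
build_trust_store() {
    run cp "$WL_HOME/server/lib/cacerts" appTrustKeyStore.jks
    run keytool -storepasswd -new "$PASSPHRASE" \
        -keystore appTrustKeyStore.jks -storepass changeit
    run keytool -import -v -noprompt -trustcacerts -alias clientCACert \
        -file "$WL_HOME/server/lib/CertGenCA.der" \
        -keystore appTrustKeyStore.jks -storepass "$PASSPHRASE"
}

# Addresses from section 11.3; the alias names are constructed and any
# scheme works as long as every alias in the store is unique.
provision_soahost1() {
    provision_host SOAHOST1.mycompany.com     appIdentity1
    provision_host SOAHOST1VHN1.mycompany.com appIdentityVHN1
    provision_host ADMINVHN.mycompany.com     appIdentityAdmin
    provision_host WCPHOST1.mycompany.com     appIdentity3
    build_trust_store
}
```

Run with DRY_RUN=1 first to review the exact commands before any keystore is written.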

The passphrase entries in the nodemanager.properties file are encrypted when you start Node Manager as described in Section 11.4, "Starting the Node Manager on SOAHOST1 and WCPHOST1." For security reasons, minimize the time the entries in the nodemanager.properties file are left unencrypted. After you edit the file, start Node Manager as soon as possible so that the entries are encrypted.

11.3.5 Using a Common or Shared Storage Installation

When using a common or shared storage installation for MW_HOME, Node Manager is started from different nodes using the same base configuration (nodemanager.properties). Add the certificate for all the nodes that share the binaries to the appIdentityKeyStore.jks identity store by creating the certificate for the new node and importing it into appIdentityKeyStore.jks as described in Section 11.3.1, "Generating Self-Signed Certificates Using the utils.CertGen Utility." Once the certificates are available in the store, each Node Manager must point to a different identity alias to send the correct certificate to the Administration Server.

The following examples show how to set different environment variables before starting Node Manager on the different nodes:

Ensure that you specify the custom identity alias specifically assigned to each host, so appIdentity1 for ...HOST1 and appIdentity2 for ...HOST2, and so on.
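Because a shared nodemanager.properties carries one CustomIdentityAlias for every node, a start-up check that the alias this node will present is the one assigned to its host catches the common mistake of sending another host's certificate. The following is an added example, not from the Oracle guide: it assumes the alias is set either as CustomIdentityAlias in nodemanager.properties or overridden with a -DCustomIdentityAlias=... system property in JAVA_OPTIONS (the override mechanism is an assumption), and the host-to-alias table is constructed for illustration.

```shell
# Added example, not from the Oracle guide. Verifies, before Node Manager is
# started on a node that shares nodemanager.properties, that the identity
# alias it will present is the one assigned to this host.

# Alias assigned to each host (constructed; edit to match your keystore).
expected_alias() {
    case "$1" in
        SOAHOST1*) echo appIdentity1 ;;
        SOAHOST2*) echo appIdentity2 ;;
        WCPHOST1*) echo appIdentity3 ;;
        WCPHOST2*) echo appIdentity4 ;;
        *) return 1 ;;
    esac
}

# Alias Node Manager will use: a -DCustomIdentityAlias override in the
# JAVA_OPTIONS string (assumed mechanism) wins over the properties file.
effective_alias() {
    props=$1
    java_options=$2
    override=$(printf '%s\n' "$java_options" |
        sed -n 's/.*-DCustomIdentityAlias=\([^ ]*\).*/\1/p')
    if [ -n "$override" ]; then
        echo "$override"
    else
        sed -n 's/^CustomIdentityAlias=[[:space:]]*//p' "$props" | tail -n 1
    fi
}

# Returns 0 when the effective alias matches the one assigned to this host.
check_alias() {
    props=$1
    java_options=$2
    host=$3
    want=$(expected_alias "$host") ||
        { echo "no alias assigned to $host" >&2; return 1; }
    got=$(effective_alias "$props" "$java_options")
    if [ "$got" = "$want" ]; then
        echo "$host: identity alias $got OK"
    else
        echo "$host: identity alias is '$got', expected '$want'" >&2
        return 1
    fi
}

# Typical use on the current node, just before starting Node Manager:
# check_alias "$NM_HOME/nodemanager.properties" "$JAVA_OPTIONS" "$(hostname)"
```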

Follow the same steps to start Node Manager on WCPHOST1.

11.5 Enabling Host Name Verification Certificates for the Node Manager in SOAHOST2 and WCPHOST2

Host name verification secures the communication between Node Manager and the Administration Server by checking that the host name in each peer's certificate matches the address used to reach it. This verification requires the use of certificates for the different addresses communicating with the Administration Server.

Perform these steps to set up SSL for communication between the Node Manager and the Administration Server:

This section describes the procedure for creating self-signed certificates on SOAHOST2 and WCPHOST2. Create these certificates using the network name/alias.

The directory where keystores and trust keystores are maintained must be on shared storage that is accessible from all nodes so that when the Administration Server, SOA servers, or WCP servers fail over (manually or with server migration), the nodes can access the appropriate certificates. In this case, SOAHOST2 uses the cert directory created for the SOAHOST1 certificates and WCPHOST2 uses the cert directory created for the WCPHOST1 certificates. If you are maintaining duplicated stores, create a user-defined directory for the certificates.

Create self-signed certificates with the utils.CertGen utility, using the network name/alias.

For information on using trust CA certificates instead, see the "Configuring Identity and Trust" section in Oracle Fusion Middleware Securing Oracle WebLogic Server.

To create self-signed certificates on SOAHOST2 and WCPHOST2:

Set up your environment by running the WL_HOME/server/bin/setWLSEnv.sh script:

In the Bourne shell, run the following command:

. setWLSEnv.sh

Verify that the CLASSPATH environment variable is set:

echo $CLASSPATH

Create a user-defined directory for the certificates.

mkdir certs

Change directory to the user-defined directory.

cd certs

Run the utils.CertGen tool from the user-defined directory to create the certificates for SOAHOST2, SOAHOST2VHN1, and WCPHOST2.

11.5.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility

The procedures described in the previous sections created an identity keystore that resides on shared storage. In this section, new keys for SOAHOST2 and WCPHOST2 are added to the store. Import the certificate and private key for SOAHOST2, SOAHOST2VHN1, and WCPHOST2 into the identity store. Make sure you use a different alias for each of the certificate/key pairs imported.

Follow these steps to create an identity keystore on SOAHOST2.mycompany.com:

Create a new identity keystore called appIdentityKeyStore using the utils.ImportPrivateKey utility. Create this keystore under the same directory as the certificates (that is, ORACLE_BASE/admin/domain_name/cert).

Note:

The identity store is created (if none exists) when you import a certificate and the corresponding key into the identity store using the utils.ImportPrivateKey utility.

Import the certificate and private key for SOAHOST2, SOAHOST2VHN1, and WCPHOST2 into the identity store. Make sure that you use a different alias for each of the certificate/key pairs imported.

For security reasons, minimize the time the entries in the nodemanager.properties file are left unencrypted. After you edit the file, start Node Manager as soon as possible so that the entries are encrypted.

Ensure that you specify the custom identity alias specifically assigned to each host, so appIdentity1 for ...HOST1 and appIdentity2 for ...HOST2, and so on.

Follow the same steps to start Node Manager on WCPHOST2.

11.7 Configuring WebLogic Servers to Use the Custom Keystores

Configure the WebLogic Servers to use the custom keystores using the Oracle WebLogic Server Administration Console. Complete this procedure for the Administration Server, and all the managed servers (WLS_WSMn, WLS_SOAn, WC_Spacesn, WC_Collaborationn, WC_Utilitiesn, and WC_Portletn).

The directory path given in Step 6 is only an example. Oracle does not recommend putting keystores into the aserver directory; it recommends putting the keystore on shared storage. Keeping a separate directory for certificates is the better solution.

To configure the identity and trust keystores:

Log in to the Administration Console, and click Lock & Edit.

In the left pane, expand Environment, and select Servers.

Click the name of the server for which you want to configure the identity and trust keystores.

Select Configuration, and then Keystores.

Click the Change button next to the Keystores field, and then select the Custom Identity and Custom Trust method for storing and managing private keys/digital certificate pairs and trusted CA certificates.

This attribute may be optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server reads only from the keystore, so whether or not you define this property depends on the requirements of the keystore.